Trust at Pluralsight
Pluralsight's mission is to democratize technology skills. Central to that mission is our commitment to be transparent about how we protect our customers' data by comprehensively implementing security by design and privacy by default.
- Endpoint security: Pluralsight endpoints (e.g. employee laptops) are all managed by a mobile device management (MDM) solution. This enforces full-disk encryption, firewall requirements, anti-virus protection, URL filtering protection, administrative privilege restriction, and USB write restriction, and also enforces PIN or password requirements and screen lockout time frames.
Mobile devices (e.g. personal phones) housing customer data are also managed by this MDM solution, which enforces full-disk encryption, PIN or password requirements, and screen lockout time frames.
- Security monitoring & operations: Pluralsight security teams operate a Security Information and Event Management (SIEM) tool to monitor, aggregate, correlate, and alert on security events across the organization. Operational procedures include maintaining alerting thresholds, collecting security events of interest (EOIs), searching for indicators of compromise (IOCs), maintaining and conducting security incident response, threat intelligence gathering, and threat hunting.
- Access control: Pluralsight employs the principle of Least Privilege, which grants access to information to personnel with a legitimate “need to know” business or job function while limiting user privileges in order to preserve the Confidentiality, Integrity, and Availability of information.
- Patch management: Patches are applied regularly, or expedited where appropriate (e.g. when a vulnerability of heightened criticality is identified).
- Incident management: Pluralsight has developed a formal Incident Response Plan used to provide a defined, organized approach to handling information security incidents. The Chief Information Security Officer is responsible for the oversight of incident management. This team consists of certified professionals with extensive experience in Application Security, IT Security, Security Operations, Incident Response, Risk Management, and Compliance. Incident Response policies and procedures are updated and tested at least annually. To report a suspected incident, please reach out to email@example.com
UPDATE 3/31/23: STATEMENT
Pluralsight systems and infrastructure are secure and have not been compromised. If you are a customer and use any of our products, including Pluralsight Skills, Pluralsight Flow, or A Cloud Guru, there is absolutely no issue or security concern with your implementation. We take our responsibility to protect and secure customers' information very seriously.
Mitch Jones, CISO
All products on Pluralsight’s platform follow the same secure practices to keep customer data safe.
- Network security: Pluralsight adheres to industry best practices of segmenting networks logically with firewalls and access control lists (ACLs). Network access is restricted to authorized individuals and network availability is monitored by the Operations and IT teams. Remote access to the production environment is limited to authorized technology teams. VPN entry points provide controlled access to environments using multi-factor authentication.
- Application security: Pluralsight leverages application scanning technologies to detect common issues within our custom code. Common methodologies and practices (such as OWASP top 10 and industry secure coding practices) are followed.
Open source code dependencies are tracked and managed by development teams. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing.
- Web Application Firewall (WAF): Pluralsight has partnered with Cloudflare to implement Web Application Firewall capabilities into the Pluralsight platform. These capabilities (and others) are managed by the product security teams and incorporate best-practice mitigations against the main types of attacks seen against online platforms, such as DDoS, brute-force attacks, and credential stuffing. In addition to network security controls applied at the enterprise level, advanced mitigation techniques are employed to protect against malicious attempts and to block bad actors from impacting Pluralsight systems.
- Perimeter protections: The Pluralsight platform uses integrated access controls and security groups to limit the exposure of internal services to the public internet. Load balancers and proxies are also placed in front of any external services to provide a single exposure point for securing, monitoring, and alerting. Intrusion detection systems (IDS) and/or related technologies are implemented to detect ingress and egress security issues.
- Server hardening: Pluralsight promotes internal server hardening guidelines to ensure that new infrastructure is appropriately safeguarded by disabling unnecessary ports, changing default passwords, and applying custom controls to each server before being put into production.
- Identity: Pluralsight offers Multi-Factor Authentication (MFA) to confirm customer identity using a combination of different factors rather than a password alone. With multi-factor authentication, customers have the option of using an authenticator app on their smartphone to generate a code. This code, used in conjunction with the user's email address and password, guards the account and is required to log in to the Pluralsight platform. Pluralsight also offers Single Sign-On (SSO) for Enterprise customers.
- Availability: An important feature of Pluralsight is the ability to securely access the learning platform at any time, from any device, and from any location. Our platform is designed to be highly available. Clustered elastic load balancers (ELBs) and high availability proxies (HAProxy) are utilized to ensure our learning services are always accessible.
- Data storage: Pluralsight is hosted in Amazon Web Services (AWS) and is therefore protected by the same level of logical and physical security controls that AWS has for all clients. AWS maintains their own documentation and certifications for security and regulatory compliance. Data is replicated across multiple availability zones and regions.
- Encryption / Cryptology:
- Data in transit: All data transferred to destinations outside of Pluralsight environments via the Pluralsight website is encrypted with TLS 1.2 (or higher) using at least 2048-bit RSA.
- Data at rest: All Pluralsight-provided devices are encrypted, with the recovery key centrally managed and stored by the IT team.
- Secure software development practices: Pluralsight promotes an effective and secure software development lifecycle (SDLC) that includes, among other requirements, code reviews for feature enhancements, bug fixes, emergency changes, and incident management. The agile nature of this process allows teams to follow their own release cycles and provide continuous improvement without creating a bottleneck.
Precautions are taken to identify any potential vulnerabilities that could lead to an incident by having an impact on the confidentiality, integrity and/or the availability of our service. Some of those precautions include:
- Vulnerability scanning
- Annual Security Awareness Training
- Annual Secure Code Training
- Penetration Tests
- Bug Bounties
- Code Scanning (DAST/SAST)
- Disaster recovery/business continuity: Pluralsight's Disaster Recovery Plan (DRP) is validated annually to ensure all customer information can be recovered quickly, accurately, and efficiently. All customer data is backed up daily via snapshots housed in a separate cloud region.
Additionally, Pluralsight's Business Continuity Plan (BCP) is designed to provide immediate response and subsequent recovery from any unplanned business interruption, including one that results in the loss of a critical service (power, computer services, telecommunications, etc.), loss of access to the facility (asbestos contamination, chemical spill, etc.), or loss of the facility (fire, natural disaster, etc.).
Governance, Risk, & Compliance
- Compliance offerings: Pluralsight works with several accredited third parties to conduct industry assessments and compliance reviews of internal policies, processes, and guidelines as they relate to security and compliance controls. Please work with your account representative to obtain the reports and certifications that Pluralsight has available including:
- ISO 27001 Certification (Skills & Flow)
- SOC 2 Report (Type 2 - Skills & Flow, Type 1 - A Cloud Guru)
- Laws & regulations: Pluralsight is committed to complying with all legal, statutory, and regulatory requirements. This includes, but is not limited to, laws, statutes, and regulations related to employment, consumer protection, privacy, securities-related laws, and contractual obligations.
For more information regarding the data processing agreement at Pluralsight, please reference our page at: https://www.pluralsight.com/terms/dpa
At Pluralsight, our mission is to democratize technology skills. Central to that mission is our commitment to be transparent about how we protect our customers' data by comprehensively implementing security by design and privacy by default.
One way in which we protect our customer data is by engaging the services of independent security researchers through HackerOne, which manages Pluralsight’s security bug bounty program. If you believe you have discovered a security vulnerability, please contact us at: firstname.lastname@example.org. When submitting your vulnerability please include detailed information that will allow us to replicate and validate your submission. While your work in helping us secure our site is greatly appreciated we ask that you limit the scope of your research to exclude the following:
- Accessing, attempting to access, downloading, modifying, destroying or corrupting, or attempting to destroy or corrupt data or information that does not belong to you.
- Executing or attempting to execute actions that may affect Pluralsight customers (i.e., Denial of Service attacks, Brute Force, Spam).
- Testing in a way that would degrade Pluralsight systems.
In response, Pluralsight commits to reviewing and responding to your submission in a timely manner after its criticality has been assessed and remediation has begun. In return, we ask that you do not disclose the information you have discovered to any third party.